A blockchain-based certifiable anonymous E-taxing protocol

The security of the tax system is directly related to the development of a country. The conventional process of tax payment laborious steps, so this process becomes a cause of irregularities among taxpayers and tax authorities, increasing the rate of corruption in tax collection. Blockchain, as a distributed ledger technology, its unique advantages and promising applications in taxation offer an effective solution to the problems of electronic taxation. However, the transparency of blockchain exists the risk of privacy disclosure, the high degree of anonymity brings the problem of lack of user supervision. Therefore, for balancing the contradiction of taxpayer privacy and supervision, we propose a blockchain-based self-certified and anonymous e-taxing scheme, which uses blockchain as the underlying support, and utilizes cryptography technology such as self-certified public key, Diffie-Hellman, to reduce the taxpayer′s reliance on the certificate authority, and protects the taxpayer′s anonymity while realizing the tracking of the real identity of malicious taxpayers. The security analysis proves that the scheme has the properties such as anonymity, conditional privacy and unforgeability, etc. Finally, performance analysis shows that compared with similar schemes, the scheme significantly improves the registration efficiency, proving its practicability and implementability.


Introduction
At present, in many countries, taxation is an important avenue for governments to raise funds to finance their projects and programmes [1]. It has become a major source of public revenue, and its healthy and stable development plays an important role in the macroeconomic regulation of the country. Consequently, providing a secured system should be our first priority. Traditional paper tax is not only tedious and inefficient, but also cannot efficiently realize the cross-territory and cross-space taxation mode. Over the years, with the development of the economy and society and the diversification of market subjects, the mode of tax collection and management keeps pace with the times. Governments have invested a lot of resources to replace the traditional paper tax collection model by adopting electronic filing, which has not only improved tax collection efficiency but also facilitated tax compliance [2]. However, with the diversification of taxpayer types, multidimensional demand and business diversification, tax collection has also brought new challenges: the opaqueness of data worsens the asymmetry of tax information; over-reliance on centralization makes it difficult to trace the nature of things in real time across regions and subjects. If tax authorities and taxpayers do not trust each other in handling data, it will be more difficult to implement a centrally administered tax system. In particular, a recent report shows that the European Union lost 152 billion euros only in 2015 due to inadequate tax collection systems (https://news.fx678.com/201709280602501445.shtml).
In recent years, some multinational companies have taken advantage of the differences in tax rates between countries to evade tax, with Alphabet 0 s Google transferring 15.9 billion to Bermuda Shell companies in 2016, successfully avoiding $1 billion in taxes (https://www.yicai.com/ news/5388587.html). Therefore, we urgently need a more complex, efficient and scientific tax system. With the advent of the era of big data, blockchain technology came into being and attracted wide attention from various countries. Various countries began to study how to use blockchain technology to accelerate the pace of tax collection. Blockchain is not only a new carrier to improve tax efficiency and quality, but also provides new ideas for the future development of tax collection and management. Blockchain, as a distributed database, has the characteristics of anonymity, consensus, traceability, transparency, decentralization [3]. It fits perfectly with the tax system and provides new ideas for improving tax collection efficiency, informatization of taxation and perfecting the taxation system. The specific applicability is as follows: the distributed database solves the problems of data storage space limitation and data island between different systems; the decentralization of blockchain realizes tax information sharing, overcomes the problems of difficult verification of tax information and weakening of single centralized storage; the traceability and non-tamperability of transaction data solves the problems of data dispersion and difficult query, and helps to establish an open and transparent tax database.
Blockchain-based e-tax applications are currently receiving widespread attention. In [4][5][6], blockchain technology has been employed to create decentralized applications that track value-added tax(VAT) transactions of businesses, which can not only effectively track whether and where VAT has been paid, but also reduce tax compliance costs for businesses and individuals, improve taxpayer compliance and the ability of tax authorities to supervise microtransactions. Moreover, Saragih and Setyowati [7] discuss the benefits of blockchain in the tax administration, and the factors affecting blockchain technology in tax administration. In the tax system applied by blockchain technology, it provides effective solutions for the problems existing in e-tax, such as tax information disclosure, tax collection and tax service. Demirhan [8] proposes to create smart contracts with different types of tax algorithms in a blockchainbased tax model, which can coordinate records between multiple parties in real time and automatically, prevent inefficient tax operations and reduce or prevent fraud among parties involved in the management chain in e-tax. Tasca et al. [9] also mention that smart contracts in blockchain technology enable the validation and automation of tax returns, significantly reducing the risk of tax avoidance, fraud and evasion. Currently, many people consider that security, privacy, costs, and regulatory issues are the greatest challenges acing the current information age [10]. Preserving user privacy is a critical issue when it comes to collecting and handling highly sensitive personal data [11]. Many academics have discussed how to use blockchain to protect user privacy in various scenarios, for example, healthcare [12,13], vehicular ad hoc networks(VANETs), e-ticketing, etc. However, while the anonymity of blockchain protects user privacy, it also provides an umbrella for some illegal and criminal acts. For example, in blockchain-based electronic tax applications, it is unable to track illegal transactions by linking the transaction records to the relevant traders, which makes auditing difficult and tax evasion cannot be detected and stopped in time. The open and transparent function allows any node on the network to view and supervise the tax information on the blockchain. Although it solves the problem of difficult and slow detection of counterfeit tickets, there may be unscrupulous elements to infer the taxpayer 0 s wallet address, identity information and lifestyle habits by analysing the tax pattern [14]. Security is the most significant one where the user 0 s details are highly confidential from both legal and ethical sides. Article 34 of Act No. 28 of 2007 on general provisions and procedures for taxation sets out the importance of keeping tax data confidential [7]. The provisions described in the Act show that the security of taxpayers' data is crucial and should be seriously considered.

Our contribution
Based on the aforementioned challenges, the main contributions of this paper are summarized as follows.
1. We propose a blockchain-based self-certified and traceable e-taxing scheme that verifies the authenticity of taxpayers without revealing their true identity, thus balancing the contradiction of taxpayer privacy and supervision.
2. We provide a conditional privacy protection, i.e. certificate authority can track misbehaving taxpayers in e-tax and revoke the true identity of misbehaving taxpayers from causing any further damage.
3. We propose an efficient self-certified scheme that self-certified public key [15] system instead of the certificate-based public key system. The scheme not only reduces the amount of public key storage and computation, improves the registration efficiency of the system, but also reduces the security risk by reducing the dependence on the certificate authority, so that the scheme has higher security.

Organization
The remainder of this paper is organized as follows. First is an introduction that the necessary preparations. Next, we describes the related work, the system model and security requirements. This is followed by construction of the scheme. The next section describes the security analysis of the protocol. The conclusions of protocol are presented at the end of the article.

Related works
The lack of privacy protection and data leakage will raise many problems for blockchain-based e-tax systems. Some scholars have also taken measures to improve the privacy of taxpayers. Considering that efficient tax models require a trade-off between privacy and transparency, Hoffman et al. [16] propose a blockchain that can implement an access control policy by deploying a set of global smart contracts on a federal ledger managed on the chain, defining each node 0 s role and access to data. This policy not only solves a single point of failure for the entire system, but also avoids errors and delays in processing tax data on a global scale. Fatz et al. [17] propose a conceptual design of confidentiality and distributed tax document exchange system, stating that zero-knowledge proofs solves the dilemma between transparency and confidentiality in tax systems. Magdalena [18] achieved taxpayer anonymity by adding a serial number to the e-ticket, thus avoiding the reuse of tax slips by malicious users and tying the taxpayer 0 s identity information to the tax slip to prove its uniqueness. Li and Niu [19] established a federated block-based chain-based e-ticketing system that not only uses ring signatures to achieve anonymity in a hybrid currency protocol, but also guarantees the unforgeability of tickets through multiple signatures. Although the above scheme improve the protection of user privacy, it does not consider how to balance the contradiction between anonymity and accountability, and still face the challenge of difficult supervision. However, in the existing work, some scholars have discussed the application of balancing anonymity and traceability in other scenarios, such as, wireless body area networks(WBANs) [20], roaming service [21]. In addition, in [22] proposed conditional tracking mechanisms for VANETs, and used an efficient anonymous two-way authentication scheme. In addition, in [23] proposed an anonymous authentication scheme for wireless body area networks based on low-entropy password, which proved its security in the random oracle model. In [24] through secure authentication code transfer between the consecutive roadside unit. In fact, these anonymity schemes are based on the Diffie-Hellman problem under discrete logarithms, whereas the security of our scheme is based on the Diffie-Hellman assumption under elliptic curves, which is much more difficult than the Discrete Logarithm Problem over Finite Fields [25]. Furthermore, different from [23], the security proof in our scheme on anonymity is under the generic group model.

One-Way Hash Function Assumption(OWHF)
Let H(�) be a one-way hash function [26]. We assume that the input of the hash function is randomly and uniformly distributed, and the output is also randomly and uniformly distributed.

Elliptic Curve Diffie-Hellman (ECDH)
It is a simulation of Diffie-Hellman [27] key change in a finite field and based on Elliptic Curve Discrete Logarithm Problem(ECDLP). In elliptic curve the public parameters P as a generate in group G, given any point (P, aP, bP)2G, a, b 2 [1, n − 1]. It is difficult to compute abP. The advantage of adversary A in solving ECDH problem is defined as: For any polynomial-time, no adversary A can solve the ECDH problem with non-negligible advantage.

Non-interactive zero-knowledge proofs
Non-interactive Zero-knowledge Proofs(NIZK) [28] is a delicate cryptographic protocol, which usually studied in the common reference string (CRS) model.
Let (ω, x)2R be a binary relation, where x is a common reference string and ω is a witness for x. A prover to generate a proof and convince the verifier that he indeed knows a certain quantity ω satisfying (ω, x)2R without leaking any additional knowledge of the secret. Informally, the NIZK satisfies the following properties [29].
• Completeness. A prover can generate a proof such that it can be passed through the verification by the verifier with probability 1.
• Computational soundness. No polynomial-time adversary is capable of forging a valid attestation that can be accepted by the verifier ith non-negligible probability.
• Zero-knowledge. The procedure only reveals the statement rather than any secret.

Smart contact
Smart contacts are automatically stored and executed in the blockchain as part of a transaction, which has a better security system than the traditional paper contacts [30]. The necessary fairness and credibility can be ensured directly through the performed partially or fully self-executing of contractual clauses.
In [31], it is discussed that the new data capabilities and possibilities of smart contract applications in tax management. In the blockchain distributed network [32], each node, i.e., the tax authority, deploys the relevant smart contract and publishes the taxpayer 0 s tax payment information. Then the user executes the smart contract to know the amount of tax to be paid. All the execution results are recorded as a transaction, which is irreversible and traceable. Meanwhile, each node will update the duplicate locally based on the current execution result after running the smart contract. Its secure distributed environment makes smart contract widely used in practice.

System model and security requirements
In this section, we describe the system model and system components of the blockchain-based certifiable anonymous e-taxing protocol. Then we introduce the related security requirements.

System model
As shown in Fig 1, four entities are involved in our system, namely, the certificate authority, the tax authority, the taxpayer and the smart contract.
• Certificate Authority, identified by CA, is mainly to initialization of system parameters.
Moreover, CA is responsible for issuing certificates and maintaining the list of eligible registrations, authenticating and managing taxpayers' identity, and revealing the true identity of misbehaved taxpayers.
• Tax Authority, identified by TA, deploys smart contracts and publishes the tax payment information of the corresponding taxpayer to smart contracts.
• Taxpayer, identified by TU, registers with CA to become a legal taxpayer and executes the smart contract to know the tax amount.
• Smart Contract, identified by SC, resemble the third-parties (e.g. brokers) involved in a deal, ensuring trust among the parties. Specify detailed rules for each role based on pre-determined set of conditions.

System components
A blockchain-based certifiable anonymity e-taxing protocol consists of the following polynomial-time algorithms Setup, Register, Declare, Audit and Trace.
• Setup(λ) ! (PP, (P CA , S CA )(P TA , S TA )). The setup algorithm is a function that takes as input a security parameter λ, and outputs the system public parameters PP, CA 0 s key pair (P CA , S CA ) and TA 0 s key pair (P TA , S TA ).
This is an interactive protocol between a taxpayer and CA, which takes the system public parameter PP, a taxpayer 0 s real identifier RID i , CA 0 s key pair (P CA , S CA ) as input, and outputs the taxpayer 0 s pseudoidentity ID i (i.e. tax identification number), private key S TU i and self-certified key c i .
This is an interactive protocol between a taxpayer and TA, which takes the system public parameter PP, taxpayer 0 s private key S TU i , tax authority 0 s public key, P TA taxpayer 0 s pseudoidentity ID i , the tax return M i 2 {0, 1} � and timestamp T i . It output a signature σ i and ciphertext C i .
The algorithms takes the system public parameter PP, the CA 0 s public key P CA , the taxpayer 0 s ID i , timestamp T i and its self-certified key c i , signature σ i , ciphertext C i as input. It outputs 1 if the tuple is valid and 0 otherwise.
• Trace(PP, S CA , ID i ) ! RID i . This algorithm is performed by CA. It takes the system public parameter PP, CA 0 s private key S CA , and the taxpayer 0 s pseudoidentity ID i as input. It outputs the corresponding a malicious taxpayer 0 s real identifier RID i .

Security requirements
A blockchain-based certifiable anonymous e-taxing protocol requires the following properties.
• Anonymity. Taxpayers should be kept anonymous when paying taxes, and no one can link a tax return to a true identity of taxpayer.
• Unforgeability. No one can forge taxpayer 0 s certificate and signature, only certified taxpayers can generate a tax return correctly.

PLOS ONE
• Traceability. When a illegal tax return is found, the misbehaved taxpayer 0 s identity can be tracked and exposed by the certificate authority.
Anonymity. Anonymity of a blockchain-based certifiable anonymous e-taxing protocol is an essential security property. Given a tax identification number, no adversary except CA could associate the true identity of the taxpayer with the tax identification number with nonnegligible probability.
Anonymity for e-taxing schemes is defined as the following game between the Challenger C and the Adversary A. A is given access to an register oracle. Here A is functional in two phases, a choose phase and a guess phase.
Definition 1 (Anonymity). A blockchain-based certifiable anonymous e-taxing protocol satisfies anonymity if for any polynomial-time adversary A, its advantage Adv Anony A ðlÞ is negligible in winning the following game.
EXP Anony The ID 1 , ID 2 were not queried to register oracle in the choose stage. Unforgeability. We now provide a rigorous definition of security by defining the Unforgeability, Experiment, which requires that no adversary can forge a valid signature, even if it obtain one or more certified address by compromise the CA/Taxpayer.
Unforgeability for e-taxing schemes is defined as the following game between the Challenger C and the Adversary A. In this game, our definition is adaptive and allow the adversary to adaptively choose a tax return existing in the forgery. A is given access to an register oracle and a sign oracle. Here A is functional in two phases, a choose phase and a guess phase.
Definition 2 (Unforgeability). A blockchain-based certifiable anonymous e-taxing protocol satisfies Unforgeability if for any polynomial-time adversary A, its advantage Adv Unfo A ðlÞ is negligible in winning the following game.  Traceability. Traceability for the proposed protocol is also a core security requirement, this ensures that even if all tax authority and malicious taxpayer collude, they cannot produce a signature that traces to an honest taxpayer whose personal secret key has not been learned by the adversary.
Traceability for e-taxing schemes is defined as the following game between the Challenger C and the Adversary A. A is given access to an register oracle and a sign oracle. Here A is functional in two phases, a choose phase and a guess phase. A corrupts a set Co of taxpayers adaptively.

Definition 3 (Traceability). A blockchain-based traceable certified e-taxing protocol satisfies traceability if for any polynomial-time adversary A, its advantage Adv Trace
A ðlÞ is negligible in winning the following game.

The proposed scheme
In this section, we introduce the concrete construction of a blockchain-based certifiable anonymous e-taxing protocol. The protocol consists of five parts: Setup, Register, Declare, Audit and Trace.

A. System initialization
To setup the tax system, CA initializes the system parameters and generates his public/private key pair, and TA deploys the smart contract on the blockchain. Specifically, the following steps are executed.
• Pick a random λ as the security parameter, and M 2 {0, 1} � as a identifier of the tax return.
• CA choose a cyclic group G 1 with prime order q, where G 1 is generated by P. TA chooses an elliptic curve E defined over Z p where p is a prime. Let G 2 E(Z p ) be a base point of order n which is a prime. The reduction function be some function f: < G > ! [0, n − 1], and f(R) = x R modn where x R is an integer representation of the x-coordinate of the elliptic curve point R.
• CA selects S CA 2 Z � q at random as CA 0 s private key, and computes P CA = S CA � P as CA 0 s public key. TA selects chooses S TA 2 Z � q as TA 0 s private key, and computes P TA = S TA � P as TA 0 s public key.

B. User registration
A user needs to register to become a legitimate taxpayer TU i . First, taxpayer generates a random pseudoidentities(i.e. tax identification number) based on ECC, which is unique, then performs the process of registration phase based on self-certified public key.
• Taxpayer 0 s real identity RID i 2 G 1 , each taxpayer randomly selects k i 2 Z � q and computes A i = k i � P, let ID 1 i ¼ hðA i Þ, and ID 2 i ¼ RID i � hðk i � P CA Þ � P. Taxpayer 0 s pseudoidentity ID i ¼ ðID 1 i k ID 2 i Þ, which allows only CA to reveal the real identity RID i of taxpayer. Each taxpayer stores a pseudoidentity ID i , and sends {ID i , A i } to CA.
• CA maintain an initially-empty registry list. CA randomly selects k 0 i 2 Z � q and computers the components of taxpayer 0 s secret keys by After that, CA sends the value x � i and c i to taxpayer. • Taxpayer computes the private keys x i ¼ ðx � i þ k i Þmodq, and extracts public key y i by computing the following equation

• The certified address A is the value h(c i ).
• CA adds (ID i , c i ) to the maintained registry list.
The correctness of the public key derivation follows. • TU i signs on the M i , randomly selects d 1 2 [0, n − 1], then computes σ 1 and σ 2 . The specific steps are as follows.
• TU i encrypts the M i with the P TA , randomly selects d 2 2 [0, n − 1], then computes Where the signature on tax return M i is σ i = (σ 1 , σ 2 ), the ciphertext is D. Auditing TA verifies the information received. First check the validity of TU 0 i s certified address A, then look up ID 0 i s public key y i by the maintained list. If it holds, the ID i is an certified legal taxpayer; otherwise, this step is terminated. TA computes as follows.
• check that • decrypt the tax return by computing

PLOS ONE
If the equation holds, the signature is accepted; otherwise the signature is invalid.

E. Trace
CA traces the identity of illegal taxpayer with his private key S CA . Consequently, the malicious taxpayer 0 s real identity can be easily derived by locating the registry list maintained by CA.
• Firstly, TA runs the Auditing algorithm to verify the given signature. If the signature is invalid, it terminates.
• After TA submits the illegal taxpayer 0 s ID i to CA, then CA computes RID i ¼ ID 2 i � hðA i � S CA Þ � P by using his private key.

Security analysis
In this section, we describe the security analysis of proposed protocol by giving some theorem and security proofs. Theorem 1 are against the anonymity. Theorem 2 targets the identity privacy protection. Theorem 3 and 4 are against the unforgeability, and Theorem 5 are against addresses conditional privacy protection. We shall prove that the proposed schemes can satisfy these security properties and successfully withstand the corresponding attacks.

Theorem 1. The proposed protocol satisfies anonymity if ECDH problem and OWHF assumption holds.
proof. Assume that A anony is an adversary against the anonymity of the proposed protocol with an non-negligible probability λ in the probabilistic polynomial time, then we can construct an example the ECDH problem (aP, bP, abP), where a; b 2 Z � q , the algorithm I anony simulate the challenger to solve the ECDH problem. Setup Phase. I anony executes the initialization algorithm to generate system public parameters and sends to A anony , A anony can operate a polynomial-bounded number of the following queries the register oracle and sign oracle while the I anony returns the corresponding response as follows. Register Phase. Firstly, A anony randomly selects the identity index i 2 I 1 , where I 1 is a group of users, and sends to I anony for registration query. I anony calls the registration algorithm and returns (ID i , A i , c i ). A anony could make at most m register queries. Hash Query. I anony will maintain a hash list, A anony randomly selects Q i to query the hash oracle O Hash . If tuple (i, Q i , Z i ) exits in the hash list, then I anony returns the corresponding Z i as the response result. Otherwise, I anony returns a randomly selected element Z i 2 Z � q as a response. Meanwhile, I anony will maintain a hash list and update after each query to ensure identical response to repeated hash queries. A anony could make at most n register queries. Challenge Phase. In the phase, the A anony chooses two taxpayer 0 ðRID i 0 ; RID i 1 Þ to request anonymity challenge. I anony runs register algorithm and randomly selects j 2 {0, 1} to generate corresponding (ID j , A j , c j ), then sends A anony . Guess Phase. A anony outputs a bit j 0 . Then I anony outputs j 0 as the answer to its ECDH challenge. We note that I anony gets the correct answer in the indistinguishable experiment when A anony wins the anonymity game. The probability of solving the ECDH problem with success is Pr½IðaP; bPÞ ! abP� ¼ Adv anony ðA anony Þ � Pr½j ¼ j 0 � � Pr½IðZ j Þ�. If I anony successfully solves the ECDH problem, the following conditions need to be met: 1. A anony correctly chose j 0 , that is Pr[j = j 0 ] = 1/2; 2. Z j satisfies (j, Q j , Z j ), so Pr½IðZ j Þ� � 1=n. Then Pr½IðaP; bPÞ ! abP� ¼ Adv anony ðA anony Þ � Pr½j ¼ j 0 � � Pr½IðZ j Þ� � l � ð1=2Þ � ð1=nÞ ¼ l=2n The advantage of I anony in breaking the ECDH is non-negligible, which contradicts the ECDH hypothesis, so the scheme satisfies anonymity.

Theorem 2. The proposed protocol satisfies identity privacy preserving if no
A can obtain the taxpayer 0 s secret identity information form the public information. proof. We will discuss our security properties in the following two different scenarios. Scenario 1. This scenario occurs mainly in the registration phase, if the A wants to get the components of the private key from the CA, which means he/she needs to deduce the equation However, there is two unknown values k 0 i and S CA , where k 0 i is randomly and uniformly distributed, and solving the S CA is comparable to solving the ECDLP. Therefore, it is impossible for an adversary to get a portion of the taxpayer 0 s private key. Scenario 2. This process occurs mainly between the A and the taxpayer TU i , where TU 0 i s private key x i . In registration phase, A needs to deduce the equation y i = x i � P = c i + e i � P CA , apparently, it is as difficult as breaking ECDLP to obtain taxpayer 0 s private key x i . Even though in the first scenario, the A successfully obtains a portion of the TU 0 i s private key from the CA, is uniformly randomly distributed. Therefore, in this scenario, the probability of a successfully attacked adversary is negligible.
The proof of unforgeability in this section can be divided into certificate unforgeabiity and signature unforgeability.

Theorem 3. The proposed protocol satisfies certificate unforgeability if ECDLP assumption holds
in Generic Group Model(GGM) [33] proof. Inspired by the proof of certificate unforgeability in [34], our proof is shown as follows. Setup Phase. I certÀ unfo generates public parameters by executing setup algorithm. Then it forwards the system public parameters PP to A certÀ unfo . A certÀ unfo can operate a polynomial-bounded number of the following queries and I certÀ unfo returns the corresponding response as follows. Register Queries. In the register phase, A certÀ unfo randomly makes register query to the register oracle O reg for the public/private key pair of the taxpayer at index i. The Forge. Finally, the A certÀ unfo forges a corresponding key pair (c j , x j ), where (c j , x j ) has never been queried. Let F i be the unique appearance in the list, without loss of generality. From the hardness of ECDLP, there does not exist a index i such that F i = F j modq, a random value is returned by the oracle, because F j represents a query for a new encoding at step j when the encoding oracle is called. In other words, the probability of successful forgery, that σ(F j ) = c j , is negligible. Therefore, no efficient, generic adversary forged successful if given only a polynomial number of queries.
Adversary A sigÀ unfo saves the tuple {M i , ID i , T i , σ i } and forges a new signature of known message {M i , ID i , T i }, that is, the A sigÀ unfo outputs fM i ; ID i ; T i ; s 0 i g in polynomial time. Where the hash value of the message in the two signatures constructed is the same. According to the forked Lemma [35], two signatures need to satisfy: Þ Through the above formula, we can get ÞÞ=s 0 2 modq, which is equivalent to solving the ECDLP problem. Therefore, there is no efficient, generic adversary A sigÀ unfo that achieves a non-negligible probability of break the signature unforgeability. Only the CA can reveal the real identity of the taxpayer based on the unique tax identification number. The pseudoidentities ID i consists of ID 1 i and ID 2 i , where ID 2 i ¼ RID i � hðk i � P CA Þ � P. No one knows CA 0 private key S CA , unless the A solves ECDLP, so no one except CA can decrypt to get the TU 0 i real identity. Whenever the authentication fails, our solution could make his/he identity to be forcibly disclosed to the public in an ingenious way so as to enable the illegal actions can be avoided, thus balancing accountability and anonymity, achieving the security property of conditional privacy.

Implementation
In this section, we analyze its security advantages and disadvantages of the proposed protocol by comparing with other scheme. In addition, we tested the time cost of each phase in the simulation experiment, which proves its practicability and implementability.

Safety comparison
In the scheme proposed in [18], RSA signatures and group signatures are used to achieve identity anonymity and transaction unforgeability, but the certificate unforgeability is not provided. The scheme proposed in [19] is based on multi-signature to realize the anonymity of users and the unforgeability of transaction, which also does not have the security property of unforgeability of certificates and does not provide traceability. Combined with the security analysis of the previous section, we derive the comparison of the security performance of the three scheme. As shown in Table 1.

Performance analysis
1. Environment. We conducted the implementation on a desktop loaded with Win 10 operating system and Intel(R) Core(TM) i5-8265U CPU 1.60GHz, 8.00GB RAM. All our evaluations were performed by programs in Python language.
2. We evaluate the time cost of operations in each phase for each taxpayer, including Setup, Register, Declare, Audit, Trace, and running 100 times to take an average. As shown in Fig  3. The time cost of Setup is about 0.140s, containing system setup, CA and TA generates his key pair separately. A user who want to become a legal taxpayer has to register, which takes about 0.355s, also tested the time costed for NIZK proof is 0.253s. We evaluate the specific time consumption of each step in declare and audit phase, including signature and verify of the tax return, where the time cost is the 0.064s and 0.126s, and the encryption and decryption times were 0.198s and 0.128s respectively. Finally, the time cost of the tracing phase is 0.124s.
3. we increase the number of taxpayers to test time cost. In the registration phase, the time cost of self-certified public key technology and certificate based public key technology are compared, as shown in Fig 4. The results show that the time costs of both increase almost linearly with the number of users, but the self-certified public key technology is more efficient and has better performance in the multi-user case.
4. Testing the time cost of multi-user at each phase. Because the initialization algorithm is executed only once in the whole process, the implementation of the initialization algorithm with multi-user is not considered here. As shown in Figs 5 and 6, where the time consumption of each algorithm tends to increase as the number of users increases. And, in the whole scheme, the zero-knowledge proof algorithm and the encryption algorithm take longer time compared with other phase, but on the whole, the execution time of scheme have higher efficiency.

Conclusion
In this paper, we propose a blockchain-based certifiable anonymous e-taxing protocol, that guarantees the security requirements of anonymity, unforgeability, and traceability. Our scheme preserve the main merits of elliptic curve cryptography and self-certified public keys, there is no digital certificates, which reduces the reliance on certificate authority, and tax authority can implement implicit verification of certificates while verifying signatures, thus reducing security risks. In addition, the scheme takes advantage of pseudoidentities to achieve conditional privacy, further balancing anonymity and traceability. Finally, we list the security

PLOS ONE
features and some security proofs, the security analysis proves that the scheme has the properties such as anonymity, conditional privacy and unforgeability, etc. Meanwhile, the performance analysis shows that compared with similar schemes, the scheme significantly improves the registration efficiency, proving its practicability and implementability.